Effective Techniques for Managing Understaffed Cybersecurity Teams

There is a lot of talk about the unfilled cybersecurity positions in both the public and private sectors. The focus is generally on what organizations can do to bolster their staff by attracting talented new employees. However, there is not nearly as much attention to techniques to improve management of the existing staff. The government has a great need for managers to recognize the downstream impact of running an understaffed team. Managers face the challenge of balancing organizational goals, maintaining morale, prioritizing work efforts and reducing attrition.

Being a manager is a difficult task in ideal situations, but overcoming the adversity of an extended period of time with an understaffed team is very trying for everyone involved. Effective managers are cognizant of the impacts on a team that is stretched too thin. They proactively deal with obstacles that commonly occur in reduced-staff situations. Before diving into the management practices for greater success, it is necessary to understand the challenges that exist:

• Burnout: Longer hours and more work will take a toll over time. Employees will eventually get fatigued and performance will suffer.
• Low Morale: As the workload increases and staffing gaps remain unfilled, it has a direct impact on the morale of existing staff.
• Unable to Realize the Benefits of Technology Investments: Limited staff often means that some things will get neglected. There will not be enough time to properly manage, tune or leverage security tools to their fullest extent.
• Less Opportunity for Personal Growth: A bare-bones staff often will have no time away for training opportunities.
• Limited On-The-Job Training: There is less time available to train and mentor the junior staff.
• Decrease in Planning: As stress and strain of overextended teams continues, the day-to-day becomes more reactionary than strategic.
• Increase in Mistakes: Fatigue will cause security analysts to miss important audit events or make errors in their investigations.
• Higher Turnover: Once the tipping point is reached, the existing staff will start to jump ship to find new opportunities.

The list of issues associated with understaffed teams can go on and on. It may vary slightly based on organization type, but the adverse impacts are generally the same. Managers can take the following actions to avoid or reduce the detrimental effects of circumstances related to understaffed teams:

• Increase Communication: Open lines of communication with all team members is crucial to establishing trust and understanding the concerns of each person. Situational awareness allows managers to properly manage their resources and be proactive about handling employee concerns.
• Focus on Priorities: Prioritize what is important and work strategically. Try to eliminate the “noise” and allow staff to work toward goals with limited distractions.
• Plan for Time off: Proactively set vacation schedules and give employees time off so they can recharge and do not feel like they can never get away.
• Career Conversations: Make time for career growth and goal discussions, even if they are informal. It is important for the team to feel their manager supports their career aspirations.
• Recognition: Continue to recognize and appreciate the hard work. Even in tough times, if employees feel valued and their work is meaningful, they will be less likely to resign for another opportunity.
• Engage other teams: Explore alternative approaches to accomplishing organizational goals. Some tasks may be suitable for other teams with greater numbers to take on.
• Managed Services: Engage managed service providers or consulting firms to determine if augmenting existing staff makes sense. Deferring ownership of arduous tasks to an outside organization may free up a lot of time for existing staff.
• Lead by Example: As the manager, it is important to lead by example through consistency and strong work ethic.

While all managers face some challenges, the trend in cybersecurity job openings will only exacerbate the struggles for cybersecurity managers upward more so than other technical disciplines. Studies by Cybersecurity Ventures predict that 3.5 million vacant cybersecurity jobs will exist in 2022. Cybersecurity practitioners need to have a strong foundation in management best practices to achieve success against increasing odds.